Release notes/1.26

Security reminder: If you have PHP's register_globals option set, you must turn it off. MediaWiki will not work with it enabled.

MediaWiki 1.26.4

This is a security and maintenance release of the MediaWiki 1.26 branch.

Changes since 1.26.3

  • BREAKING CHANGE: $wgHTTPProxy is now *required* for all external requests made by MediaWiki via a proxy. Relying on the http_proxy environment variable is no longer supported.
  • (T124163) Fixed fatal error in DifferenceEngine under HHVM.
  • (T139565) SECURITY: API: Generate head items in the context of the given title
  • (T137264) SECURITY: XSS in unclosed internal links
  • (T133147) SECURITY: Escape '<' and ']]>' in inline <style> blocks
  • (T133147) SECURITY: Require login to preview user CSS pages
  • (T132926) SECURITY: Do not allow undeleting a revision deleted file if it is the top file
  • (T129738) SECURITY: Make $wgBlockDisablesLogin also restrict logged in permissions
  • (T129738) SECURITY: Make blocks log users out if $wgBlockDisablesLogin is true
  • (T115333) SECURITY: Check read permission when loading page content in ApiParse
  • Remove support for $wgWellFormedXml = false, all output is now well formed

MediaWiki 1.26.3

This is a maintenance release of the MediaWiki 1.26 branch.

Changes since 1.26.2

  • (bug T116266) Fixed undefined property notices in DairikiDiff under HHVM.
  • (bug T123166) Fix fatal error when importing pages to titles which cannot be created, such as invalid titles or titles the user is not allowed to edit.
  • (bug T122056) Old tokens are remaining valid within a new session
  • (bug T127114) Login throttle can be tricked using non-canonicalized usernames
  • (bug T123653) Cross-domain policy regexp is too narrow
  • (bug T123071) Incorrectly identifying http link in a's href attributes, due to m modifier in regex
  • (bug T129506) MediaWiki:Gadget-popups.js isn't renderable
  • (bug T125283) Users occasionally logged in as different users after SessionManager deployment
  • (bug T103239) Patrol allows click catching and patrolling of any page
  • (bug T122807) [tracking] Check php crypto primitives
  • (bug T98313) Graphs can leak tokens, leading to CSRF
  • (bug T130947) Diff generation should use PoolCounter
  • (bug T133507) Careless use of $wgExternalLinkTarget is insecure
  • (bug T132874) API action=move is not rate limited
  • (bug T110143) strip markers can be used to get around html attribute escaping in (bug MANY?) parser tags
  • (bug T116030) Increase pbkdf2 parameter strengths
  • (bug T127420) Pbkdf2Password does not check if hash_pbkdf2() succeeded
  • (bug T126685) Globally throttle password attempts

MediaWiki 1.26.2

This is a maintenance release of the MediaWiki 1.26 branch.

Changes since 1.26.1

  • (bug T121892) Various special pages resulted in fatal errors.

MediaWiki 1.26.1

This is a security release of the MediaWiki 1.26 branch.

Changes since 1.26.0

  • (bug T117899) SECURITY: $wgArticlePath can no longer be set to relative paths that do not begin with a slash. This enabled trivial XSS attacks. Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an error.
  • (bug T119309) SECURITY: Use hash_compare() for edit token comparison
  • (bug T118032) SECURITY: Don't allow cURL to interpret POST parameters starting with '@' as file uploads
  • (bug T115522) SECURITY: Passwords generated by User::randomPassword() can no longer be shorter than $wgMinimalPasswordLength
  • (bug T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could result in improper blocks being issued
  • (bug T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions and related pages no longer use HTTP redirects and are now redirected by MediaWiki
  • Fixed ConfigException in ExpandTemplates due to AlwaysUseTidy.
  • Fixed stray literal \n in Special:Search.
  • Fix issue that breaks HHVM Repo Authoritative mode.
  • (bug T120267) Work around APCu memory corruption bug
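The T118032 item above concerns PHP's cURL binding, which on pre-7.0 PHP treated a POST field value beginning with '@' as "upload this file" whenever CURLOPT_POSTFIELDS was given as an array. The PHP below is an added illustration, not MediaWiki's own fix: it shows the two defensive measures available to a caller (a pre-encoded body, plus CURLOPT_SAFE_UPLOAD where the constant exists); the URL and field values are constructed.

```php
<?php
// Added example (not MediaWiki code): build cURL POST options so that a
// field value such as "@/etc/passwd" is always sent as a literal string.

/**
 * Return a cURL option array for POSTing $fields to $url safely.
 *
 * @param string $url
 * @param array  $fields Associative array of string values, possibly user-supplied
 * @return array Options suitable for curl_setopt_array()
 */
function safePostOptions( $url, array $fields ) {
	// Encoding the body ourselves is the portable fix: cURL applies the
	// '@' file-upload rule only to the array form of CURLOPT_POSTFIELDS,
	// never to a pre-encoded string body.
	$body = http_build_query( $fields, '', '&', PHP_QUERY_RFC3986 );

	$opts = array(
		CURLOPT_URL => $url,
		CURLOPT_POST => true,
		CURLOPT_POSTFIELDS => $body,
		CURLOPT_HTTPHEADER => array( 'Content-Type: application/x-www-form-urlencoded' ),
		CURLOPT_RETURNTRANSFER => true,
	);
	// Belt and braces for PHP 5.5/5.6, where the array form still honours
	// '@' unless this option is set (PHP 7 no longer allows disabling it).
	if ( defined( 'CURLOPT_SAFE_UPLOAD' ) ) {
		$opts[CURLOPT_SAFE_UPLOAD] = true;
	}
	return $opts;
}

// Constructed input: the second value looks like a cURL upload directive.
$fields = array( 'title' => 'Main_Page', 'summary' => '@/etc/passwd' );
$opts = safePostOptions( 'https://wiki.example.org/api.php', $fields );

// The body is plain form data with '@' and '/' percent-encoded, so the
// value can no longer be read as a file name by cURL.
echo $opts[CURLOPT_POSTFIELDS], "\n";

// Contrast, the unsafe form on pre-7.0 PHP without CURLOPT_SAFE_UPLOAD:
//   curl_setopt( $ch, CURLOPT_POSTFIELDS, $fields );
// would send the contents of the local file instead of the string.
```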

MediaWiki 1.26.0

MediaWiki 1.26 is a stable branch and is recommended for use in production.

Configuration changes

  • $wgPasswordResetRoutes['email'] = true by default.
  • $wgEnableParserCache was deprecated, set $wgParserCacheType to CACHE_NONE instead if you want to disable the parser cache.
  • New-style continuation is now the default for API action=continue. Clients may use the 'rawcontinue' parameter to receive raw query-continue data, but the new style is encouraged as it's harder to implement incorrectly.
  • Deprecated API formats dump and wddx have been completely removed.
  • (T7645) The "Signature" button on the edit toolbar is now hidden by default in non-talk namespaces. A new configuration variable, $wgExtraSignatureNamespaces, controls in which subject (non-talk) namespaces the "Signature" button on the edit toolbar will be displayed.
  • $wgResourceLoaderUseESI was deprecated and removed. This was an experimental feature that was never enabled by default.
  • $wgResourceLoaderExperimentalAsyncLoading was deprecated and removed. This experimental feature was never enabled by default and is obsolete as of MediaWiki 1.26, in which ResourceLoader became fully asynchronous.
  • $wgMasterWaitTimeout was removed (deprecated in 1.24).
  • Fields in ParserOptions are now private. Use the accessors instead.
  • Custom LESS functions (defined via $wgResourceLoaderLESSFunctions or in extension.json) have been removed, after being deprecated in 1.24.
  • $wgAlwaysUseTidy has been removed.
  • ResetSessionID hook has been removed. Nothing seems to use it.
  • Certain AuthPlugin methods are deprecated in favor of new hooks:
    • AuthPlugin::initUser() is replaced by LocalUserCreated.
    • AuthPlugin::updateUser() is replaced by UserLoggedIn.
    • AuthPlugin::updateExternalDB() is replaced by the existing UserSaveSettings.
    • AuthPlugin::updateExternalDBGroups() is replaced by UserGroupsChanged.
    • AuthPluginUser::isHidden() is replaced by UserIsHidden.
    • AuthPluginUser::isLocked() is replaced by UserIsLocked.
  • The UserRights hook is deprecated in favor of the new UserGroupsChanged hook.
  • AuthPlugin::initUser() and AuthPlugin::updateUser() should no longer replace the passed User object.
  • $wgBlockAllowsUTEdit is now set to true by default. This allows blocked users to edit their talk pages unless explicitly disabled when they are being blocked.

New features

  • (T51506) Now action=info gives estimates of actual watchers for a page. See $wgRCMaxAge, $wgWatchersMaxAge and $wgUnwatchedPageSecret to learn how to configure this if needed.
  • Change tags can now be hidden in the interface by disabling the associated "tag-<id>" interface message.
  • ':' (colon) is now invalid in usernames for new accounts. Existing accounts are not affected.
  • Added a new hook, 'LogException', to log exceptions in nonstandard ways.
  • Revive the 'SpecialSearchResultsAppend' hook, which occurs after the list of search results is rendered. The initial use case is to append a "give us feedback" link beneath the search results.
  • Added a new hook, 'RejectParserCacheValue', which allows extensions to reject an otherwise-successful parser cache lookup. The intent is to allow extensions to manage the eviction of archaic HTML output from the cache.
  • (T68699) The expiration of the UserID and Token login cookies ($wgExtendedLoginCookieExpiration) can be configured independently of the expiration of all other cookies ($wgCookieExpiration).
  • (T50519) Support for generating JPEG/PNG thumbnails from WebP images added if ImageMagick is used as image scaler ($wgUseImageMagick = true). Uploading of WebP images is still disabled by default. Add $wgFileExtensions[] = 'webp'; to LocalSettings.php to enable uploading of WebP images.
  • Added new hooks 'EnhancedChangesListModifyLineData' & 'EnhancedChangesListModifyBlockLineData', to modify the data used to build lines in enhanced recentchanges and watchlist.
  • Caches that need purging ability now use the WANObjectCache interface. This corresponds to a new $wgMainWANCache setting, which defaults to using the $wgMainCacheType settings.
  • Callers needing fast light-weight data stores use $wgMainStash to select the store type from $wgObjectCaches. The default is the local database.
  • Interface message overrides in the MediaWiki namespace will now be cached in memcached and APC (if available), rather than memcached and local files.
  • Added a new hook, 'RandomPageQuery', to allow modification of the query used by Special:Random to select random pages.
  • $wgTransactionalTimeLimit was added, which controls the request time limit for potentially slow POST requests that need to be as atomic as possible.
  • ResourceLoader now loads all scripts asynchronously. The top-queue and startup modules are no longer synchronously loaded.
  • 'mediawiki.ui.button' styles are no longer unconditionally loaded on every page. During the deprecation period, the styles will only be loaded on pages which contain 'mw-ui-button' in their HTML. Starting in 1.28, the styles will only be loaded if explicitly required.
  • If a search returns zero results and the current search engine has a "did you mean" suggestion, results for the suggestion will be shown. This can be disabled by setting $wgSearchRunSuggestedQuery to false.
  • Added several JavaScript libraries for uploading files to MediaWiki from the client-side. See documentation for mw.Upload and its subclasses for more information.
  • Added OOUI dialogs and layout for file upload interfaces. See documentation for mw.Upload.Dialog, mw.Upload.BookletLayout and its subclasses for more information.

extension.json changes

  • (T99344) The extension.json schema is now versioned. All extensions and skins should set a "manifest_version" property corresponding to the schema version they were written for. The only supported version currently is "1".
  • (T102523) The error message if a non-array attribute is set was improved.
  • (T107646) Configuration settings can now specify how they should be merged, which is necessary for arrays using integer keys.
  • (T110389) Adding namespaces through extension.json now actually works
  • $wgNamespaceProtection can now be set in extension.json.
  • $wgCapitalLinkOverrides can now be set in extension.json.
  • (T97186) Extensions using a custom prefix for their configuration settings can now set a "_prefix" key to override the default of "wg".
  • (T99084) Extensions can now specify what MediaWiki core versions they depend upon.
  • (T105236) The extension.json schema now validates custom classes in the "ResourceModules" property properly.

External library changes

Upgraded external libraries

New external libraries

Removed and replaced external libraries

Bug fixes

Action API changes

  • New-style continuation is now the default for action=continue. Clients may use the 'rawcontinue' parameter to receive raw query-continue data, but the new style is encouraged as it's harder to implement incorrectly.
  • Deprecated API formats dump and wddx have been completely removed.
  • API action=query&list=tags: The displayname can now be boolean false if the tag is meant to be hidden from user interfaces.
  • action=import no longer allows both the namespace= and rootpage= parameters to be set. If they are both set, the value of rootpage= will be ignored.
  • prop=revision output in enum mode is now sorted by timestamp rather than revision ID. This usually won't make any difference.
  • (T102645) Namespace list from meta=siteinfo&siprop=namespaces is now an array with formatversion=2.
  • Various other output from meta=siteinfo will now always be arrays instead of sometimes being numerically-indexed objects with formatversion=2.
  • When errors about users being blocked are returned, they now include information about the relevant block.
  • (T99926) list=random has higher limits, in line with other API modules.
  • list=random's rnredirect parameter is deprecated in favor of a new rnfilterredir parameter that also allows for listing both redirects and non-redirects.
  • list=random now supports continuation.
  • API responses to GET requests may now include ETag and Last-Modified headers, and will honor corresponding If-None-Match and If-Modified-Since on such requests.

Action API internal changes

  • New metadata item ApiResult::META_KVP_MERGE to allow for merging the KVP key into the value when the value is an assoc.
  • API action modules may now provide values for the RFC 7232 ETag and Last-Modified headers. The API will check these against If-None-Match and If-Modified-Since request headers on GET requests and avoid executing the module when appropriate.
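As an added example (not MediaWiki's code) of the RFC 7232 validator check described in the item above, the PHP below decides whether a GET request can be answered with 304 Not Modified from the ETag and Last-Modified a module would produce; the header values and dates are constructed.

```php
<?php
// Added example (not MediaWiki code): RFC 7232 conditional-GET evaluation.

/** Strip a weak-validator prefix so W/"x" and "x" compare equal (RFC 7232 2.3.2). */
function etagOpaque( $etag ) {
	$etag = trim( $etag );
	if ( strncasecmp( $etag, 'W/', 2 ) === 0 ) {
		$etag = substr( $etag, 2 );
	}
	return $etag;
}

/**
 * @param string|null $etag         Entity-tag the module would send, e.g. '"v2"', or null
 * @param int|null    $lastModified Unix time the module would send as Last-Modified, or null
 * @param array       $reqHeaders   Request headers keyed by lower-cased name
 * @return bool true when a 304 is permitted and the module need not execute
 */
function notModified( $etag, $lastModified, array $reqHeaders ) {
	// If-None-Match, when present, takes precedence over If-Modified-Since
	// (RFC 7232 section 6), even when the date would otherwise match.
	if ( isset( $reqHeaders['if-none-match'] ) ) {
		if ( $etag === null ) {
			return false;
		}
		$want = etagOpaque( $etag );
		foreach ( explode( ',', $reqHeaders['if-none-match'] ) as $candidate ) {
			$candidate = trim( $candidate );
			// GET uses weak comparison, and "*" matches any current representation.
			if ( $candidate === '*' || etagOpaque( $candidate ) === $want ) {
				return true;
			}
		}
		return false;
	}
	if ( isset( $reqHeaders['if-modified-since'] ) && $lastModified !== null ) {
		$since = strtotime( $reqHeaders['if-modified-since'] );
		// An unparsable date must be ignored, never treated as a match.
		return $since !== false && $lastModified <= $since;
	}
	return false;
}

// Constructed requests against a module reporting ETag "v2" and a
// Last-Modified of 2015-11-20 12:00:00 UTC.
$lm = gmmktime( 12, 0, 0, 11, 20, 2015 );
$httpDate = gmdate( 'D, d M Y H:i:s', $lm ) . ' GMT';
var_dump( notModified( '"v2"', $lm, array( 'if-none-match' => 'W/"v1", "v2"' ) ) );
var_dump( notModified( '"v2"', $lm, array( 'if-none-match' => '"v1"', 'if-modified-since' => $httpDate ) ) );
var_dump( notModified( null, $lm, array( 'if-modified-since' => $httpDate ) ) );
var_dump( notModified( '"v2"', $lm, array( 'if-modified-since' => 'not a date' ) ) );
```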

Languages updated

MediaWiki supports over 350 languages. Many localisations are updated regularly. Below only new and removed languages are listed, as well as changes to languages because of Phabricator reports.

  • Languages added:
    • ase (American sign language), thanks to translator Icemandeaf
    • dty (डोटेली/Doteli), thanks to translators जनक राज भट्ट, बिप्लब आनन्द, मेश सिंह बोहरा, and राम प्रसाद जोशी
    • luz (لئری دوٙمینی / Southern Luri)
    • olo (Livvinkarjala / Livvi-Karelian), thanks to translators Denö, Hiloin Natoi, Ilja.mos, and Mashoi7

Other changes

  • ChangeTags::tagDescription() will return false if the interface message for the tag is disabled.
  • Added PageHistoryPager::doBatchLookups hook.
  • Added $wikiId parameter to FormatAutocomments hook.
  • Added ParserCacheSaveComplete to ParserCache
  • supportsDirectEditing and supportsDirectApiEditing methods added to ContentHandler, to provide a way for ApiEditPage and EditPage to check if direct editing of content is allowed. These methods return false by default for the ContentHandler base class and true for TextContentHandler and its derivative classes (everything in core). For Content types that do not support direct editing, an alternative mechanism should be provided for editing, such as action overrides or specific API modules.
  • mediaWiki.confirmCloseWindow now returns an object of functions, instead of one function. The callback can't be called directly any more. The callback function is replaced with confirmCloseWindow.release().
  • BREAKING CHANGE: Added an optional ResourceLoaderContext parameter to ResourceLoaderModule::getDependencies(). Extension classes that override that method should be updated. If they aren't updated, PHP Strict standards warnings will appear when E_STRICT error reporting is enabled. Note: in the near future, this parameter will probably become non-optional.
  • Removed maintenance script deleteImageMemcached.php.
  • MWFunction::newObj() was removed (deprecated in 1.25). ObjectFactory::getObjectFromSpec() should be used instead.
  • The parser will no longer randomize the string it uses to mark the place of items that were stripped during parsing. It will use a fixed string instead. This causes the parser to re-use the regular expressions it uses to search and replace markers rather than generate novel expressions on each parse. Re-using regular expressions will improve performance on HHVM and the forthcoming PHP 7. The interfaces changes accompanying this change are:
    • Parser::getRandomString() and Parser::uniqPrefix() have been deprecated.
    • The $uniq_prefix argument for Parser::extractTagsAndParams() and the $prefix argument for StripState::__construct() are deprecated and their value is ignored.
  • wfSuppressWarnings() and wfRestoreWarnings() were split into a separate library, mediawiki/at-ease, and are now deprecated. Callers should use MediaWiki\suppressWarnings() and MediaWiki\restoreWarnings() directly.
  • The Block class constructor now takes an associative array of parameters instead of many optional positional arguments. Calling the constructor the old way will issue a deprecation warning.
  • The jquery.mwExtension module was deprecated.
  • $wgSpecialPageGroups was removed (deprecated in 1.21).
  • SpecialPageFactory::setGroup was removed (deprecated in 1.21).
  • SpecialPageFactory::getGroup was removed (deprecated in 1.21).
  • DatabaseBase::ignoreErrors() is now protected.
  • BREAKING CHANGE: mediawiki.legacy.ajax has been removed, following a lengthy deprecation period.
  • The ScopedPHPTimeout class was removed.
  • Removed maintenance script fixSlaveDesync.php.
  • Watchlist tokens, SpecialResetTokens, and User::getTokenFromOption() are deprecated. Applications using those can work via the OAuth extension instead. New token types should not be added.
  • DatabaseBase::errorCount() was removed (unused).
  • $wgDeferredUpdateList was removed.
  • DeferredUpdates::addHTMLCacheUpdate() was removed.

Compatibility

MediaWiki 1.26 requires PHP 5.3.3 or later. There is experimental support for HHVM 3.3.0.

MySQL is the recommended DBMS. PostgreSQL or SQLite can also be used, but support for them is somewhat less mature. There is experimental support for Oracle and Microsoft SQL Server.

The supported versions are:

  • MySQL 5.0.3 or later
  • PostgreSQL 8.3 or later
  • SQLite 3.3.7 or later
  • Oracle 9.0.1 or later
  • Microsoft SQL Server 2005 (9.00.1399)

Upgrading

1.26 has several database changes since 1.25, and will not work without schema updates. Note that due to changes to some very large tables like the revision table, the schema update may take quite long (minutes on a medium sized site, many hours on a large site).

BREAKING CHANGE: if your wiki uses the default $wgDisableCounters setting, upgrading to this version (or later) will irreversibly destroy all data in your database. See Extension:HitCounters for a non-destructive upgrade method.

If upgrading from before 1.11, and you are using a wiki as a commons repository, make sure that it is updated as well. Otherwise, errors may arise due to database schema changes.

If upgrading from before 1.7, you may want to run refreshLinks.php to ensure new database fields are filled with data.

If you are upgrading from MediaWiki 1.4.x or earlier, you should upgrade to 1.5 first. The upgrade script maintenance/upgrade1_5.php has been removed with MediaWiki 1.21.

Don't forget to always back up your database before upgrading!

See the file UPGRADE for more detailed upgrade instructions.

For notes on 1.25.x and older releases, see HISTORY.

Online documentation

Documentation for both end-users and site administrators is available on MediaWiki.org, and is covered under the GNU Free Documentation License (except for pages that explicitly state that their contents are in the public domain): https://www.mediawiki.org/wiki/Documentation

Mailing list

A mailing list is available for MediaWiki user support and discussion:

https://lists.wikimedia.org/mailman/listinfo/mediawiki-l

A low-traffic announcements-only list is also available:

https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce

It's highly recommended that you sign up for one of these lists if you're going to run a public MediaWiki, so you can be notified of security fixes.

IRC help

There's usually someone online in the IRC channel #mediawiki.